[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
GAK Advisory Board
>From URL: http://csrc.ncsl.nist.gov/csspab/minutes.395
Minutes of the March 22-23, 1995 Meeting of the
Computer System Security and Privacy Advisory Board
Wednesday, March 22, 1995
Introduction
A quorum being present, the Chairman, Dr. Willis Ware,
called the meeting to order at 9:00 a.m. at the Holiday
Inn, Gaithersburg, Maryland. Besides Dr. Ware, the
following Board members were present: Charlie Baggett
Jr., Genevieve Burns, Cris Castro, Don Gangemi, Sandra
Lambert, Henry Philcox, Randy Sanovic, Stephen Trodden,
Steve Walker [TIS], and Bill Whitehurst [IBM].
[Snip long section on security assurance standards and
methods in US, Canada and UK.]
Update on X/Open Branding Project
Mr. Bill Whitehurst, IBM, gave a brief update of the
activities of the X/Open Branding Project.
Two major components exist within their branding concept:
(1) the ability to implement functionality based on a
minimum set of assurance functionality requirements
(MSFR), and (2) the confidence in the development process
for achieving the functionality.
He said that the workgroup meeting, hosted by Hewlett
Packard, was held early in March. The group plans to
re-write their document to include some type of
evaluation process prior to the vendor product getting
branded. X/Open plans to have a public review of the
changes this summer.
Vendor Perspective
Ms. Linda Vetter, Oracle Corporation, presented oracle's
views of security assurance. She discussed three types
of assurance issues: (1) governent evaluation and
certification; (2) third party evaluation and
certification (government and business sponsored); and
(3) vendor claims.
Ms. Vetter explained Oracle s evaluation experience for
two DBMS server product s, Oracle7 and Trusted Oracle7,
in both the US and the UK. Oracle used the US TCSEC TPEP
evaluation for B1 and C2 systems. They also used the UK
ITSEC evaluation for E3 systems (which is the equivalent
for US B1 and C2 systems). The UK process took
significantly less time and cost less money for an
identical product. Ms. Vetter suggested that NIST/NSA
look into developing equivalent/comparable trust levels
between the two different evaluation criteria methods as
well as those for other countries. This would minimize
the need to have different evaluations performed (one for
each country) for the same product.
Oracle has on-going work in other areas (e.g., RAMP, CMM,
ISO, and Audits) as well as multiple CLEFS with the UK,
Sweden, France and Germany. Ms. Vetter explained the
differences in criteria between the TCSEC and the ITSEC.
She said that the ITSEC requirements for the content of
evaluation deliverables formed a superset of the
corresponding TCSEC requirements for the evaluations.
However, the TCSEC creates a framework for the
presentation of these requirements and there can be
little deviation from this.
Oracle would like to see more concentration on low-end
assurance requirements and processes. This would enable
various sectors like health care, banking, and financial
industries to have protection for unclasified to
sensitive data. Ms. Vetter encouraged NSA to continue
its efforts in modeling (Common Assurance Framework,
TCMM, and SE CMM) and would discourage any more efforts
in product profiling. The modeling efforts encourage
vendor quality improvement, promotes flexibility in
meeting assurance objectives, and are transferable to
other private sector domains besides DoD. (See Reference
#8).
Wrap-up and Restatement of Issues
Dr. Katzke summarized the discussion of assurance by
saying that opportunities exist to look at alternatives.
He is not sure what the government's role is or which
areas to concentrate on with respect to cost. He said
that he could continue with the same level of effort that
is going on now with community involvement. He is open
to suggestions with regard to the assurance process.
Discussion
After a lengthy discussion on the state of the Common
Criteria (CC) and assurance approaches and issues, some
of the major points from individual Board members
included:
- Concern as to when the CC will be widely accepted and
used;
- Whether to adopt the ITSEC now and migrate to CC;
- The need to simplify the CC;
- Building assurance and quality into the new assurance
framework;
- Clearly define assurance needs to be universally
understood;
- Conduct more C2 and below evaluations in the US;
- Concentrate on low-end assurance; and
- Bring key industry players into the process.
[Snip]
Board members continued their discussion of criteria and
assurance from the previous day. Some of the major
points of the discussion from Board members included the
need:
- for OMB to state the need for C2 level evaluation
compliance for various government product purchases;
- for NSA to make a statement about equivalency among
all existing non-US trust levels;
- to begin using components of the Common Criteria and
gradually migrate to it;
- to continue a wide range of assurance framework
options and procedures; and
- to focus on low-end assurance methods and encourage C2
level evaluation along the following Canadian AL-1
evaluation.
[Snip]
Status of Key Escrow Initiative
Mr. Steve Walker, Trusted Information Systems (TIS),
briefed the Board on the status of Commercial Key Escrow
(CKE). He said, with regard to application vendors, TIS
is actively seeking the participation of commercial
software vendors in widespread implementation of CKE
enabled software products. TIS has installed a Data
Recovery Center (DRC) on the Internet and is prepared to
distribute sample DRC application software packages to
any interested software application developer. TIS is
seeking approval of the US government for export of
application programs using encryption algorithms such as
the Data Encryption Standard (DES) when properly bound
with CKE.
Mr. Walker said the advantages of CKE for government
interests is that if the TIS CKE system were to become
widely used throughout the private sector and government
communities, law enforcement, national security and
private sector interests would be preserved.
Mr. Walker said that TIS has filed for patent protection
for its Software Key Escrow (Clipper equivalent) and CKE
systems including the DRC and application software
approaches. TIS is prepared to license its CKE system
and software applications technology to any software or
hardware vendor under very favorable licensing terms.
TIS is also prepared to license its DRC system and
technology to qualified DRC operators and vendors under
similarly favorable licensing terms. (See Reference
#13).
[Snip]
----------
>From URL: http://csrc.ncsl.nist.gov/csspab/csspab.txt
National Computer System Security
and Privacy Advisory Board
Identifying Emerging Computer Security Issues
What is the Computer System Security and Privacy Advisory
Board (CSSPAB)?
Congress established the CSSPAB as a public advisory
board in the Computer Security Act of 1987. The Board is
composed of twelve members, in addition to the
Chairperson, who are recognized experts in the fields of
computer and telecommunications systems security and
technology.
What is the Board's purpose?
The Computer Security Act specifies that the Board's
mission is to identify emerging managerial, technical,
administrative, and physical safeguard issues relative to
computer systems security and privacy.
What is the scope of the Board's authority?
The Board examines those issues affecting the security
and privacy of sensitive unclassified information in
federal computer and telecommunications systems. The
Board's authority does not extend to private-sector
systems or federal systems which process classified
information.
What are the board's advisory and reporting functions?
The Board advises the Secretary of Commerce and the
Director of the National Institute of Standards and
Technology (NIST) on computer security and privacy issues
pertaining to sensitive unclassified information stored
or processed by federal computer systems. The Board
reports its findings to the Secretary of Commerce, the
Director of the Office of Management and Budget, the
Director of the National Security Agency, and appropriate
committees of Congress.
How often and where does the Board meet?
The Board holds its two-day meetings twice per year;
however, additional meetings may be called at the
Chairperson's discretion. Board meetings are held in the
Washington, DC metropolitan area as well as other areas
in which there is significant federal computer security
interest and activity.
Are Board meetings open to the public?
In accordance with the Federal Advisory Committee and
Government in Sunshine acts, Board meetings are announced
in the Federal Register and are normally open to the
public. The Board accepts written statements from the
public (see address on reverse).
How is CSSPAB membership determined?
The Director of NIST of the Department of Commerce
appoints Board members for four-year terms. By law, the
membership of the Board is distributed as follows:
- Four experts from outside of federal government, one
whom is representative of small- or medium-size firm;
- Four non-government employees who are not employed by
or a representative of a producer of computer or
telecommunications equipment; and
- Four members from the federal government, including
one from the National Security Agency of the
Department of Defense.
Nominations to fill vacancies on the Board may be
submitted to the Director of NIST.
NIST personnel serve as the Board's Secretariat. Other
federal agency personnel may also assist the Board's
activities as specified in the Computer Security Act of
1987.
Are Board members paid for their service?
Board members do not receive a salary or stipend;
however, authorized travel expenses are reimbursed as
specified by Congress.
*******************************************************
For further information, please contact:
Computer System Security and Privacy Advisory Board
Executive Secretariat
National Computer Systems Laboratory
Technology Building, Room B-154
National Institute of Standards and Technology
Gaithersburg, MD 20899